npm
5,204,719 packages · npmjs.org
High Security Advisories in npm
High
about 1 year ago
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
npm
rollup
High
about 1 year ago
Plate allows arbitrary DOM attributes in element.attributes and leaf.attributes
npm
@udecode/plate-core
High
about 1 year ago
find-my-way has a ReDoS vulnerability in multiparametric routes
npm
find-my-way
High
about 1 year ago
@backstage/plugin-techdocs-backend storage bucket Directory Traversal vulnerability
npm
@backstage/plugin-techdocs-backend
High
about 1 year ago
@backstage/plugin-catalog-backend Prototype Pollution vulnerability
npm
@backstage/plugin-catalog-backend
High
about 1 year ago
Session is cached for OpenID and OAuth2 if `redirect` is not used
npm
@directus/api, directus
High
about 1 year ago
body-parser vulnerable to denial of service when url encoding is enabled
npm
body-parser
High
about 1 year ago
@actions/artifact has an Arbitrary File Write via artifact extraction
npm
@actions/artifact
High
about 1 year ago
Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries
npm, cargo
@apollo/gateway, @apollo/query-planner, apollo-router
High
about 1 year ago
unzip-stream allows Arbitrary File Write via artifact extraction
npm
unzip-stream
High
over 1 year ago
(ReDoS) Regular Expression Denial of Service in tf2-item-format
npm
tf2-item-format
High
over 1 year ago
Plate media plugins has a XSS in media embed element when using custom URL parsers
npm
@udecode/plate-media
High
over 1 year ago
node-twain vulnerable to Improper Check or Handling of Exceptional Conditions
npm
node-twain
High
over 1 year ago
rejetto HFS vulnerable to OS Command Execution by remote authenticated users
npm
hfs
High
over 1 year ago
ejson shell parser in MongoDB Compass maybe bypassed
npm
@mongodb-js/connection-form
High
over 1 year ago
Prototype pollution in ag-grid-community via the _.mergeDeep function
npm
ag-grid-community, ag-grid-enterprise
High
over 1 year ago
@amoy/common v was discovered to contain a prototype pollution via the function extend
npm
@amoy/common
High
over 1 year ago
frappejs was discovered to contain a prototype pollution via the function registerView
npm
@airvertco/frappejs
High
over 1 year ago
akbr patch-into was discovered to contain a prototype pollution via the function patchInto
npm
@akbr/patch-into
High
over 1 year ago
@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass
npm
@strapi/plugin-users-permissions
High
over 1 year ago
Directus is soft-locked by providing a string value to random string util
npm
directus
High
over 1 year ago
javascript-deobfuscator crafted payload can lead to code execution
npm
js-deobfuscator
High
over 1 year ago
json-schema-ref-parser Prototype Pollution issue
npm
@apidevtools/json-schema-ref-parser
High
over 1 year ago
@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability
npm
@cyclonedx/cyclonedx-library
High
over 1 year ago
react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js
npm
react-pdf
High
over 1 year ago
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
npm
pdfjs-dist
High
over 1 year ago
s3-url-parser vulnerable to Denial of Service via regexes component
npm
s3-url-parser
High
over 1 year ago
Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
npm
uptime-kuma
High
over 1 year ago
Conform contains a Prototype Pollution Vulnerability in `parseWith...` function
npm
@conform-to/dom, @conform-to/yup, @conform-to/zod
High
over 1 year ago
@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
npm
@hoppscotch/cli
High
over 1 year ago
@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
npm
@hono/node-server
High
over 1 year ago
@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability
npm
@andrei-tatar/nora-firebase-common
High
over 1 year ago
Handling untrusted input can result in a crash, leading to loss of availability / denial of service
npm
@solana/web3.js
High
over 1 year ago
@fastify/secure-session: Reuse of destroyed secure session cookie
npm
@fastify/secure-session
High
over 1 year ago
In Astro-Shield, setting a correct `integrity` attribute to injected code allows to bypass the allow-lists
npm
@kindspells/astro-shield
High
over 1 year ago
@electron/packager's build process memory potentially leaked into final executable
npm
@electron/packager
High
over 1 year ago
Content-Security-Policy header generation in middleware could be compromised by malicious injections
npm
@kindspells/astro-shield
High
over 1 year ago
OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation
npm
@oneuptime/common-server, @oneuptime/model
High
over 1 year ago
TurboBoost Commands vulnerable to arbitrary method invocation
npm, rubygems
@turbo-boost/commands, turbo_boost-commands
High
over 1 year ago
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)
npm
app-builder-lib
High
over 1 year ago
`@backstage/backend-common` vulnerable to path traversal through symlinks
npm
@backstage/backend-common
High
over 1 year ago
MeshCentral cross-site websocket hijacking (CSWSH) vulnerability
npm
meshcentral
High
over 1 year ago
GitHub Security Lab (GHSL) Vulnerability Report, scrypted: `GHSL-2023-218`, `GHSL-2023-219`
npm
@scrypted/core, @scrypted/server
High
over 1 year ago
React Native Document Picker Directory Traversal vulnerability
npm
react-native-document-picker